Re: [pfSense-discussion] IDS yet?
Going through some old email, sorry for the anachronism.

On 10/4/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> Sorry, but I do not agree totally with you: the thing I love with pfSense is
> that it is possible to install it everywhere, so it could be a _real_
> competitor to enterprise products (like Cisco ASA). So, I think that
> CPU-power should not be a limit.

Yep, and when you deploy end-to-end encryption, the "One Big NIDS" isn't going to help you very much. Plus, there's plenty of evasion techniques that rely on the NIDS not knowing the network topology or how the endpoint will interpret a series of packets. So the end result is either false alarms, or having to enter details about your endpoints and topology, or features to "learn" that information. But it's all rearranging deck chairs on the Titanic.

Let me put it this way; if I send you the last fragment in a packet, wait n seconds, then send you the other fragments, how does the NIDS know whether the endpoint has timed out the fragment reassembly, in which case the packet is not passed to the application, versus if it kept the fragment, in which case the packet is passed to the application? Now think about every single parameter in the stack and you'll start to get an idea of how impossible this is. If your NIDS tries to handle all possibilities, not only do you have lots of false positives, but there's a state explosion that I can use to DoS your NIDS.

Let me put it this way; if all your clients start up massive transfers, then a single NIDS at the gateway must be prepared to handle it - basically, you have to have capacity for the whole uplink. But with NIDS being done at the endpoint, which I call a distributed host-based IDS, then each machine is responsible for its own traffic. You don't have to pay for your uplink speed; each endpoint transfers at the rate it can handle, automatically throttling itself if the IDS portion takes a CPU hit. The gateway NIDS can then be used to monitor only those machines which can't run it, and for attacks against the network stack itself.

> We have a serious disadvantage against hardware firewalls. Where they
> can crank out ASICs tuned to specific needs (which comes with a
> disadvantage we don't have...flexibility), we're stuck with general
> purpose CPUs which aren't necessarily fast.

What an ASIC can do now, in ~3 years a general-purpose CPU can do. So all that investment in ASIC design gets expensive; but if you don't keep pumping money into it, then the general-purpose CPUs will catch up, offering returns to scale that you can't match no matter how popular your NIDS. What really matters the most is the parallelization, in that you can have a board with 8 ASICs. But SMP can play that game too, with more cost-effective pieces, that have more utility than that one task.

> Let us also not forget that CPUs aren't getting faster, they're scaling wider

Mostly that's due to the limited bandwidth of RAM, not a problem with CPU technology. A modern CPU can have a thread execute instructions as fast as RAM can deliver them. So you have things like dual-channel, where you've got two parallel paths to RAM, so hopefully it can deliver two instruction streams at full speed. And so if the RAM isn't speeding up, but getting wider, of course the CPU is going to go that way, because RAM is the bottleneck.

The question is whether packet inspection could benefit from this; i.e. is the problem parallelizable? I think that it is, at least for different sessions. Right now people doing heavy-duty centralized IDS have to buy multiple overpriced boards with proprietary designs, populated with many ASICs, and then have to get a session-aware load balancer to distribute them. So yes, it is parallelizable.

And networks are getting faster; perhaps not at the acceleration of CPU power, but WAY faster than RAM and disk. This means that there's going to be more pressure on the NIDS system.

For more information, and some rules of thumb, check out:
http://storagemojo.com/?page_id=207

--
"It's not like I'm encrypting... it's just that my communications developed a massive entropy deficiency." -><- http://www.subspacefield.org/~travis/>
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
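Travis's fragment-timeout argument above, as an added example (not code from the thread, pfSense or Snort): a toy reassembler replayed under two assumed reassembly timeouts gives opposite verdicts for identical fragments, and the state it has to hold grows with the timeout it assumes. The payload, the fragment timing and the 30 s / 60 s timeouts are constructed for illustration, not any particular stack's values.

```python
"""Fragment-reassembly ambiguity simulator (added example, not from the thread).
The last fragment arrives first, the rest `delay` seconds later; whether the
datagram ever reaches the application depends on the endpoint's reassembly
timeout, which a NIDS cannot observe on the wire. Everything below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field shared by all pieces of one datagram
    offset: int   # byte offset of this piece inside the original datagram
    more: bool    # MF flag: True for every piece except the last one
    data: bytes
    t: float      # arrival time in seconds (constructed)


class Reassembler:
    """Reassembly buffer keyed by IP ID; partial datagrams older than
    `timeout` seconds are discarded, as a real stack would do."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        # ident -> (time the first piece was seen, pieces collected so far)
        self.pending: Dict[int, Tuple[float, List[Fragment]]] = {}

    def _expire(self, now: float) -> None:
        for ident, (first_seen, _) in list(self.pending.items()):
            if now - first_seen > self.timeout:
                del self.pending[ident]

    def _try_complete(self, ident: int) -> Optional[bytes]:
        _, pieces = self.pending[ident]
        last = [f for f in pieces if not f.more]
        if not last:
            return None                      # total length still unknown
        total = last[0].offset + len(last[0].data)
        buf, covered = bytearray(total), bytearray(total)
        for f in pieces:
            if f.offset >= total:            # stray piece beyond the end
                continue
            end = min(f.offset + len(f.data), total)
            buf[f.offset:end] = f.data[: end - f.offset]
            covered[f.offset:end] = b"\x01" * (end - f.offset)
        if total and all(covered):           # every byte accounted for
            del self.pending[ident]
            return bytes(buf)
        return None

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the datagram once it is complete."""
        self._expire(frag.t)
        _, pieces = self.pending.setdefault(frag.ident, (frag.t, []))
        pieces.append(frag)
        return self._try_complete(frag.ident)


def deliver(fragments: List[Fragment], timeout: float) -> Optional[bytes]:
    """Replay a fragment stream in arrival order and return the datagram an
    endpoint with this reassembly timeout would hand to the application."""
    r, result = Reassembler(timeout), None
    for f in sorted(fragments, key=lambda frag: frag.t):
        out = r.feed(f)
        if out is not None:
            result = out
    return result


PAYLOAD = b"example-application-request-payload"   # constructed, 35 bytes


def late_first_fragment_stream(delay: float) -> List[Fragment]:
    """Last fragment at t=0, the other two pieces `delay` seconds later."""
    a, b, c = PAYLOAD[:8], PAYLOAD[8:16], PAYLOAD[16:]
    return [
        Fragment(ident=0x1234, offset=16, more=False, data=c, t=0.0),
        Fragment(ident=0x1234, offset=0, more=True, data=a, t=delay),
        Fragment(ident=0x1234, offset=8, more=True, data=b, t=delay),
    ]


def nids_verdict(fragments: List[Fragment], assumed_timeout: float,
                 pattern: bytes = b"request") -> bool:
    """The signature match depends on the timeout the NIDS *assumes* for the
    endpoint; a wrong assumption is either a false positive or a miss."""
    data = deliver(fragments, assumed_timeout)
    return data is not None and pattern in data


def buffered_after_stray_fragments(n: int, timeout: float) -> int:
    """Partial datagrams still held after n stray last-fragments (one per
    second, distinct IDs) that never complete: state grows with the timeout."""
    r = Reassembler(timeout)
    for i in range(n):
        r.feed(Fragment(ident=i, offset=8, more=False, data=b"x", t=float(i)))
    return len(r.pending)


if __name__ == "__main__":
    stream = late_first_fragment_stream(delay=45.0)
    for assumed in (30.0, 60.0):   # constructed short vs long timeout policies
        print(f"assumed {assumed}s: {deliver(stream, assumed)!r} "
              f"alert={nids_verdict(stream, assumed)}")
```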
Re: [pfSense-discussion] IDS yet?
On 10/6/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
> Scott Ullrich wrote:
> > It is a delayed IDS. Generally an IPS hooks into the network stack
> > directly and does not allow the traffic to pass through until it's
> > scanned.

Yep, sometimes these are called intrusion reaction systems, reactive firewalls, or other sundry terms.

> And generally you probably aren't going to want to hook snort into your
> network stack like that, because of the limitations of PC hardware.

You could, theoretically, disable routing, then let the BPF read packets on one side and inject them on the other. However, the performance penalty of moving into userspace, through an application (scheduler latency), and then out to kernel space again, is probably prohibitive. But at least you know when you're hitting your limit without risking dropped packets.

What you really want to do is be able to load the matching up into the kernel using some sort of sandboxing so that the complicated decoders and such don't cause a kernel panic. Some recent research papers show that this can be done with a ~17% performance penalty on x86 hardware with instruction re-writing. Then you can do all your work without incurring a copy/remap between kernelspace and userland.

--
"It's not like I'm encrypting... it's just that my communications developed a massive entropy deficiency." -><- http://www.subspacefield.org/~travis/>
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: [pfSense-discussion] IDS yet?
Chris Buechler wrote:
> And generally you probably aren't going to want to hook snort into your
> network stack like that, because of the limitations of PC hardware.
> Commercial IPS devices process rules through ASICs, which enables them
> to fully evaluate every single packet before passing it without
> incurring much of a performance penalty (if any). We don't have that
> luxury in the PC hardware world.

Apropos ASIC ...

-> http://www.cavium.com/acceleration_boards_NII_NIC.htm
-> http://www.sensorynetworks.com/Products/

If the hardware device got a FPGA ...

-> http://www.opencores.org/browse.cgi/by_category

--
Mit freundlichen Gruessen / With kind regards
DAn.I.El S. Haischt

Spammers, please please send any mail to:
Daniel S. Haischt <[EMAIL PROTECTED]>

Want a complete signature??? Type at a shell prompt:

$ > finger -l [EMAIL PROTECTED]
Re: [pfSense-discussion] IDS yet?
Scott Ullrich wrote:
> It is a delayed IDS. Generally an IPS hooks into the network stack
> directly and does not allow the traffic to pass through until it's
> scanned.

And generally you probably aren't going to want to hook snort into your network stack like that, because of the limitations of PC hardware. Commercial IPS devices process rules through ASICs, which enables them to fully evaluate every single packet before passing it without incurring much of a performance penalty (if any). We don't have that luxury in the PC hardware world.
Re: [pfSense-discussion] IDS yet?
On 10/5/06, Jason J. Ellingson <[EMAIL PROTECTED]> wrote:
> Snort is kicking some great arse! I'm really loving it. Any way to get it
> to syslog? I see a lot of MS-SQL worms and such and would (for giggles)
> like to see all the snort alerts. System logs only show the attacking IP
> and not what kind of attack.
>
> Who is the sponsor for Snort, I want to buy them a beer!
>
> PS: I'm using "ac" mode. "ac-std" uses all the system RAM (512MB).

I will look into adding a syslog mechanism.

Scott
RE: [pfSense-discussion] IDS yet?
Snort is kicking some great arse! I'm really loving it. Any way to get it to syslog? I see a lot of MS-SQL worms and such and would (for giggles) like to see all the snort alerts. System logs only show the attacking IP and not what kind of attack.

Who is the sponsor for Snort, I want to buy them a beer!

PS: I'm using "ac" mode. "ac-std" uses all the system RAM (512MB).

- Jason
RE: [pfSense-discussion] IDS yet?
Just to make this clear (besides the technical differences between IDS/IPS), the snort package optionally can block (it's a checkbox).

Holger

> -----Original Message-----
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 10:23 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] IDS yet?
>
> On 10/5/06, Chris Godwin <[EMAIL PROTECTED]> wrote:
> > Am I correct about Snort being able to block as well as detect? Isn't
> > this IDS/IPS, not just IDS?
>
> It is a delayed IDS. Generally an IPS hooks into the network stack
> directly and does not allow the traffic to pass through until it's
> scanned.
>
> This is the counter of that, where a packet may be let through and
> then a block rule is added 50ms later, etc.
>
> Scott
Re: [pfSense-discussion] IDS yet?
On 10/5/06, Chris Godwin <[EMAIL PROTECTED]> wrote:
> Am I correct about Snort being able to block as well as detect? Isn't
> this IDS/IPS, not just IDS?

It is a delayed IDS. Generally an IPS hooks into the network stack directly and does not allow the traffic to pass through until it's scanned.

This is the counter of that, where a packet may be let through and then a block rule is added 50ms later, etc.

Scott
RE: [pfSense-discussion] IDS yet?
Am I correct about Snort being able to block as well as detect? Isn't this IDS/IPS, not just IDS?

Chris Godwin
Linux/Unix Consultant
Network Logistic, Inc.
Get help at http://www.networklogistic.com/help
RE: [pfSense-discussion] IDS yet?
A WRAP (266MHz Geode) is maxed out at 32 mbit/s (with optimum packet size). However, with the traffic shaper enabled and lots of traffic (bittorrent for example) it's not able to keep up with my 16/1 mbit/s adsl2+ connection. Depending on your WAN speed, or if you need LAN to OPT traffic, these devices reach their limits sooner or later.

Holger

> -----Original Message-----
> From: Donald Pulsipher [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:03 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] IDS yet?
>
> It's a 4801 with the fastest processor I could get (266).
> We'll see what I can do with it, I don't plan on using a
> default config with snort. I know I'm going to have to tweak
> it. With the right setup, I believe running snort on the
> embedded image _is_ feasible. If I do manage to pull it off,
> I'll share what I did.
>
> -Don
>
> On Wed, 4 Oct 2006 13:01:44 -0500, "Bill Marquette"
> <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> > >
> > > According to my rough calculations, I can do maybe 40mbps
> > > throughput before I peg the cpu. Or maybe I'm just dreaming, but I
> > > plan on testing it.
> >
> > With a 4801 or wrap??? Try again :) We peg the CPU on those boards
> > well before 40mbit...I think the last benchmark I saw was 30+mbit.
> >
> > --Bill
Re: [pfSense-discussion] IDS yet?
It's a 4801 with the fastest processor I could get (266). We'll see what I can do with it, I don't plan on using a default config with snort. I know I'm going to have to tweak it. With the right setup, I believe running snort on the embedded image _is_ feasible. If I do manage to pull it off, I'll share what I did.

-Don

On Wed, 4 Oct 2006 13:01:44 -0500, "Bill Marquette" <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> >
> > According to my rough calculations, I can do maybe 40mbps throughput
> > before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing
> > it.
>
> With a 4801 or wrap??? Try again :) We peg the CPU on those boards
> well before 40mbit...I think the last benchmark I saw was 30+mbit.
>
> --Bill
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> According to my rough calculations, I can do maybe 40mbps throughput
> before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing
> it.

With a 4801 or wrap??? Try again :) We peg the CPU on those boards well before 40mbit...I think the last benchmark I saw was 30+mbit.

--Bill
RE: [pfSense-discussion] IDS yet?
According to my rough calculations, I can do maybe 40mbps throughput before I peg the cpu. Or maybe I'm just dreaming, but I plan on testing it.

On Wed, 4 Oct 2006 12:34:08 -0500, "Jason J. Ellingson" <[EMAIL PROTECTED]> wrote:
> I was under the impression that Snort takes a lot of CPU power and RAM
> (100MB+ even in "lowmem" mode?). I don't know if a Soekris/WRAP could
> handle it.
>
> - Jason
>
> -----Original Message-----
> From: Donald Pulsipher [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 12:04 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] IDS yet?
>
> The /pkg_mgr.php and related files are still in the www directory, I
> just pointed to them in my url.
>
> If I upgrade to RC3, is there an easy way to change the embedded image
> to support packages? Otherwise I could always just compile and install
> snort myself I guess.
>
> Thanks for your replies.
>
> BTW, pfSense completely rocks. I love it. I've been running it on
> Soekris hardware for about 2 years now. The only feature I was waiting
> for was IDS.
>
> -Don
>
> On Wed, 4 Oct 2006 12:00:51 -0500, "Bill Marquette"
> <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> > >
> > > I tried to install the snort package but get an error. This was on my
> > > Soekris embedded box with the embedded version 1.0-RC1a.
> >
> > Two problems here.
> > 1. RC1 is ancient, the snort package only works on RC3 and above
> > 2. Embedded doesn't support packages, either we still had that in RC1
> > (unlikely) or you've bypassed those checks somehow
> >
> > --Bill
RE: [pfSense-discussion] IDS yet?
I was under the impression that Snort takes a lot of CPU power and RAM (100MB+ even in "lowmem" mode?). I don't know if a Soekris/WRAP could handle it.

- Jason

-----Original Message-----
From: Donald Pulsipher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 04, 2006 12:04 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

The /pkg_mgr.php and related files are still in the www directory, I just pointed to them in my url.

If I upgrade to RC3, is there an easy way to change the embedded image to support packages? Otherwise I could always just compile and install snort myself I guess.

Thanks for your replies.

BTW, pfSense completely rocks. I love it. I've been running it on Soekris hardware for about 2 years now. The only feature I was waiting for was IDS.

-Don

On Wed, 4 Oct 2006 12:00:51 -0500, "Bill Marquette" <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> >
> > I tried to install the snort package but get an error. This was on my
> > Soekris embedded box with the embedded version 1.0-RC1a.
>
> Two problems here.
> 1. RC1 is ancient, the snort package only works on RC3 and above
> 2. Embedded doesn't support packages, either we still had that in RC1
> (unlikely) or you've bypassed those checks somehow
>
> --Bill
Re: [pfSense-discussion] IDS yet?
SH. Don't tell anyone this. ;)

Scott

On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> The /pkg_mgr.php and related files are still in the www directory, I
> just pointed to them in my url.
>
> If I upgrade to RC3, is there an easy way to change the embedded image
> to support packages? Otherwise I could always just compile and install
> snort myself I guess.
>
> Thanks for your replies.
>
> BTW, pfSense completely rocks. I love it. I've been running it on
> Soekris hardware for about 2 years now. The only feature I was waiting
> for was IDS.
>
> -Don
>
> On Wed, 4 Oct 2006 12:00:51 -0500, "Bill Marquette"
> <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> > >
> > > I tried to install the snort package but get an error. This was on my
> > > Soekris embedded box with the embedded version 1.0-RC1a.
> >
> > Two problems here.
> > 1. RC1 is ancient, the snort package only works on RC3 and above
> > 2. Embedded doesn't support packages, either we still had that in RC1
> > (unlikely) or you've bypassed those checks somehow
> >
> > --Bill
Re: [pfSense-discussion] IDS yet?
The /pkg_mgr.php and related files are still in the www directory, I just pointed to them in my url.

If I upgrade to RC3, is there an easy way to change the embedded image to support packages? Otherwise I could always just compile and install snort myself I guess.

Thanks for your replies.

BTW, pfSense completely rocks. I love it. I've been running it on Soekris hardware for about 2 years now. The only feature I was waiting for was IDS.

-Don

On Wed, 4 Oct 2006 12:00:51 -0500, "Bill Marquette" <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> >
> > I tried to install the snort package but get an error. This was on my
> > Soekris embedded box with the embedded version 1.0-RC1a.
>
> Two problems here.
> 1. RC1 is ancient, the snort package only works on RC3 and above
> 2. Embedded doesn't support packages, either we still had that in RC1
> (unlikely) or you've bypassed those checks somehow
>
> --Bill
Re: [pfSense-discussion] IDS yet?
Snort requires 1.0-RC3.

On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> I tried to install the snort package but get an error. This was on my
> Soekris embedded box with the embedded version 1.0-RC1a.
>
> Here is the output:
>
> -
> Installation of snort FAILED!
> Downloading package configuration file... failed!
> Installation aborted.
> Installation halted.
> -
>
> Do I need to do something to the installed embedded version to allow it
> to install packages? Or am I SOL because it's embedded?
>
> -Don
>
> On Wed, 4 Oct 2006 11:07:15 -0500, "Bill Marquette"
> <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> > > No, it sees everything. For example, running at my WAN, though nearly
> > > everything is blocked, it detects portscans too and will block this IP (if
> > > enabled) so it can't start a bruteforce against my open ports. If you are
> > > lucky it will even block the intruder before it reaches open ports on your
> > > system, for example :-)
> >
> > To be fair, ONLY stateless signatures (or signatures of attacks that
> > only need one packet to do the damage) and the port scan engine can
> > make any kind of detection on traffic blocked at the firewall. But
> > hey, who really cares that someone is trying some uber attack against
> > you if there's nothing listening? If you want to know that, I'm
> > afraid you need a honeypot.
> >
> > --Bill
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Donald Pulsipher <[EMAIL PROTECTED]> wrote:
> I tried to install the snort package but get an error. This was on my
> Soekris embedded box with the embedded version 1.0-RC1a.

Two problems here.
1. RC1 is ancient, the snort package only works on RC3 and above
2. Embedded doesn't support packages, either we still had that in RC1 (unlikely) or you've bypassed those checks somehow

--Bill
RE: [pfSense-discussion] IDS yet?
Snort hooks into bpf, bpf gets 1st look at all traffic.

Greg

> -----Original Message-----
> From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 2:58 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] IDS yet?
>
> So far, I like the new Snort package. Very nice and easy to set up.
> You have my praises!
>
> If I am correct, the Snort package only sees traffic that was
> not blocked by firewall rules?
>
> - Jason
Re: [pfSense-discussion] IDS yet?
I tried to install the snort package but get an error. This was on my Soekris embedded box with the embedded version 1.0-RC1a.

Here is the output:

-
Installation of snort FAILED!
Downloading package configuration file... failed!
Installation aborted.
Installation halted.
-

Do I need to do something to the installed embedded version to allow it to install packages? Or am I SOL because it's embedded?

-Don

On Wed, 4 Oct 2006 11:07:15 -0500, "Bill Marquette" <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> > No, it sees everything. For example, running at my WAN, though nearly
> > everything is blocked, it detects portscans too and will block this IP (if
> > enabled) so it can't start a bruteforce against my open ports. If you are
> > lucky it will even block the intruder before it reaches open ports on your
> > system, for example :-)
>
> To be fair, ONLY stateless signatures (or signatures of attacks that
> only need one packet to do the damage) and the port scan engine can
> make any kind of detection on traffic blocked at the firewall. But
> hey, who really cares that someone is trying some uber attack against
> you if there's nothing listening? If you want to know that, I'm
> afraid you need a honeypot.
>
> --Bill
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> No, it sees everything. For example, running at my WAN, though nearly
> everything is blocked, it detects portscans too and will block this IP (if
> enabled) so it can't start a bruteforce against my open ports. If you are
> lucky it will even block the intruder before it reaches open ports on your
> system, for example :-)

To be fair, ONLY stateless signatures (or signatures of attacks that only need one packet to do the damage) and the port scan engine can make any kind of detection on traffic blocked at the firewall. But hey, who really cares that someone is trying some uber attack against you if there's nothing listening? If you want to know that, I'm afraid you need a honeypot.

--Bill
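Greg's note that Snort reads from bpf (which gets first look at all traffic) and Bill's point above (only single-packet signatures and the portscan engine can fire on traffic pf drops, because a rule that needs an established flow never sees a handshake for a blocked port), as an added example that is not from the thread or from the Snort package. The trace, the pf policy (only port 22 open), the marker payloads and the RFC 5737 documentation addresses are all constructed.

```python
"""What a bpf-attached Snort sees versus what pf lets through (added example,
not from the thread or the Snort package). Trace, pf policy and markers are
constructed; addresses are from the RFC 5737 documentation ranges."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LOCAL = "192.0.2.10"       # the pfSense WAN address (constructed)
REMOTE = "198.51.100.7"    # an outside host (constructed)
OPEN_PORTS = {22}          # constructed pf policy: only SSH passes inbound


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


def pf_passes(p: Pkt) -> bool:
    """Inbound packets pass only to open ports; the host's own replies pass."""
    return p.src == LOCAL or p.dport in OPEN_PORTS


# The wire as bpf sees it, *before* pf's verdict. Only the SSH connection gets
# a SYN-ACK, because pf drops the other SYNs and the stack never sees them.
WIRE_TRACE: List[Pkt] = (
    [
        Pkt(REMOTE, LOCAL, "tcp", 40000, 22, "S"),
        Pkt(LOCAL, REMOTE, "tcp", 22, 40000, "SA"),
        Pkt(REMOTE, LOCAL, "tcp", 40000, 22, "A"),
        Pkt(REMOTE, LOCAL, "tcp", 40000, 22, "PA", b"SSH-2.0-CONSTRUCTED-MARKER"),
    ]
    + [Pkt(REMOTE, LOCAL, "tcp", 40001 + i, port, "S")
       for i, port in enumerate((23, 25, 80, 135, 139, 445, 3389))]
    + [Pkt(REMOTE, LOCAL, "udp", 1025, 1434, "", b"CONSTRUCTED-SQL-WORM-MARKER")]
)


def stateless_alerts(trace: List[Pkt]) -> Set[str]:
    """Single-packet signature: needs no flow state, so it can fire on a
    packet pf is about to drop (the one-packet UDP worm case)."""
    return {f"stateless:udp/1434 marker from {p.src}" for p in trace
            if p.proto == "udp" and p.dport == 1434
            and b"SQL-WORM-MARKER" in p.payload}


def portscan_alerts(trace: List[Pkt], threshold: int = 5) -> Set[str]:
    """Portscan engine: counts distinct destination ports probed per source."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for p in trace:
        if p.proto == "tcp" and p.flags == "S" and p.dst == LOCAL:
            ports[p.src].add(p.dport)
    return {f"portscan:{src} ({len(ps)} ports)"
            for src, ps in ports.items() if len(ps) >= threshold}


def stateful_alerts(trace: List[Pkt]) -> Set[str]:
    """Rule in the spirit of flow:established: it can only match after the
    full three-way handshake appeared on the wire."""
    state: Dict[Tuple[str, int, str, int], str] = {}   # client-side 4-tuple
    alerts: Set[str] = set()
    for p in trace:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
        elif p.flags == "SA":                       # reply: flip the tuple
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.flags == "A":
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "synack":
                state[key] = "established"
        elif "P" in p.flags:
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "established" and b"CONSTRUCTED-MARKER" in p.payload:
                alerts.add(f"stateful:marker on established {p.dport}/tcp from {p.src}")
    return alerts


def all_alerts(trace: List[Pkt]) -> Set[str]:
    return stateless_alerts(trace) | portscan_alerts(trace) | stateful_alerts(trace)


def compare_views() -> Tuple[Set[str], Set[str]]:
    """Alerts from the bpf view (everything) vs. from only what pf passed."""
    bpf_view = all_alerts(WIRE_TRACE)
    behind_pf = all_alerts([p for p in WIRE_TRACE if pf_passes(p)])
    return bpf_view, behind_pf


if __name__ == "__main__":
    bpf_view, behind_pf = compare_views()
    print("bpf sees:  ", sorted(bpf_view))
    print("behind pf: ", sorted(behind_pf))
```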
RE: [pfSense-discussion] IDS yet?
Very cool. Perhaps I'll be brave and allow it to block those IPs. Any way to send the Snort alerts to a syslog? I'd like to analyze them.

- Jason

-----Original Message-----
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 04, 2006 9:52 AM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] IDS yet?

No, it sees everything. For example, running at my WAN, though nearly everything is blocked, it detects portscans too and will block this IP (if enabled) so it can't start a bruteforce against my open ports. If you are lucky it will even block the intruder before it reaches open ports on your system, for example :-)

Holger

> -----Original Message-----
> From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 3:58 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] IDS yet?
>
> So far, I like the new Snort package. Very nice and easy to set up.
> You have my praises!
>
> If I am correct, the Snort package only sees traffic that was not
> blocked by firewall rules?
>
> - Jason
RE: [pfSense-discussion] IDS yet?
No, it sees everything. For example, running at my WAN, though nearly everything is blocked, it detects portscans too and will block this IP (if enabled) so it can't start a bruteforce against my open ports. If you are lucky it will even block the intruder before it reaches open ports on your system, for example :-)

Holger

> -----Original Message-----
> From: Jason J. Ellingson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 3:58 PM
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] IDS yet?
>
> So far, I like the new Snort package. Very nice and easy to set up.
> You have my praises!
>
> If I am correct, the Snort package only sees traffic that was not
> blocked by firewall rules?
>
> - Jason
RE: [pfSense-discussion] IDS yet?
So far, I like the new Snort package. Very nice and easy to set up. You have my praises!

If I am correct, the Snort package only sees traffic that was not blocked by firewall rules?

- Jason
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> > On 10/4/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> > > At least in this respect, pfSense is still a clear packet-filter only ;-)
> > > And ideally, it should stay this way while analyzing packet-content
> > > should occur elsewhere (because it also needs much more CPU-power).
> >
> > Sorry, but I do not agree totally with you: the thing I love with pfSense is
> > that it is possible to install it everywhere, so it could be a _real_
> > competitor to enterprise products (like Cisco ASA). So, I think that
> > CPU-power should not be a limit.
>
> We have a serious disadvantage against hardware firewalls. Where they
> can crank out ASICs tuned to specific needs (which comes with a
> disadvantage we don't have...flexibility), we're stuck with general
> purpose CPUs which aren't necessarily fast. Thankfully, encryption
> boards supported by FreeBSD aren't terribly difficult to come by, but
> there's other code paths that could be sped up considerably by
> hardware optimized for it.

You're totally right, I know. But I think we have to consider at least 2 factors:

1) I am not aware (please, somebody out there perhaps could help me) of any table or benchmark result that could help us to have a rough estimation of CPU load during normal IPS work. My intention is to install a solution that is not GUI-managed (just to speed up the testing phase), and try to do such an estimation.

2) There can be installations or places in which normal hardware (such as mini-ITX mobos) could be sufficient to manage the CPU load, because of a small internet link.

I only would like to know if this could be of any interest for the community (so at the end of the test, I have to deal with package creation), or if I'll be the only one interested in that. Just to know.

Tom
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> > At least in this respect, pfSense is still a clear packet-filter only ;-)
> > And ideally, it should stay this way while analyzing packet-content
> > should occur elsewhere (because it also needs much more CPU-power).
>
> Sorry, but I do not agree totally with you: the thing I love with pfSense is
> that it is possible to install it everywhere, so it could be a _real_
> competitor to enterprise products (like Cisco ASA). So, I think that
> CPU-power should not be a limit.

We have a serious disadvantage against hardware firewalls. Where they can crank out ASICs tuned to specific needs (which comes with a disadvantage we don't have...flexibility), we're stuck with general purpose CPUs which aren't necessarily fast. Thankfully, encryption boards supported by FreeBSD aren't terribly difficult to come by, but there's other code paths that could be sped up considerably by hardware optimized for it.

Let us also not forget that CPUs aren't getting faster, they're scaling wider (in fact, I think most gamers would confirm that dual core procs don't necessarily speed up their games). FreeBSD doesn't multi-thread routing. The fastest proc today will be no faster than the fastest proc next year (unless AMD comes through with its inverse SMP plans - presenting multiple cores as a single core to the OS). Also, interrupts are a KILLER on x86 hardware - FreeBSD w/ polling is better at this than OpenBSD (although I haven't personally benched this yet), but it's not free and there's still a limit.

--Bill
Re: [pfSense-discussion] IDS yet?
Tommaso Di Donato wrote:
> On 10/4/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> > At least in this respect, pfSense is still a clear packet-filter only ;-)
> > And ideally, it should stay this way while analyzing packet-content
> > should occur elsewhere (because it also needs much more CPU-power).
>
> Sorry, but I do not agree totally with you: the thing I love with pfSense is
> that it is possible to install it everywhere, so it could be a _real_
> competitor to enterprise products (like Cisco ASA). So, I think that
> CPU-power should not be a limit.

I agree, I think pfsense devs do a great job. When I need something more than a packet-filter then I will post a bounty. I would encourage all those users who request packet-content analysis features to consider the same.
Re: [pfSense-discussion] IDS yet?
On 10/4/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> At least in this respect, pfSense is still a clear packet-filter only ;-)
> And ideally, it should stay this way while analyzing packet-content
> should occur elsewhere (because it also needs much more CPU-power).

Sorry, but I do not agree totally with you: the thing I love with pfSense is that it is possible to install it everywhere, so it could be a _real_ competitor to enterprise products (like Cisco ASA). So, I think that CPU-power should not be a limit.
Re: [pfSense-discussion] IDS yet?
Daniel S. Haischt wrote:
> Beside that I always thought Snort is first and foremost an IDS and not an IPS...

It can do both, IIRC. But commercial IDS/IPS products have been blurring the line between these two purposes for years - up to a point where I think there is no real distinction possible anymore. Just like various "intelligence" techniques have blurred the line between packet filter and application firewall in the commercial-firewall world.

At least in this respect, pfSense is still a clear packet-filter only ;-)
And ideally, it should stay this way while analyzing packet-content should occur elsewhere (because it also needs much more CPU-power).

cheers,
Rainer
Re: [pfSense-discussion] IDS yet?
Beside that I always thought Snort is first and foremost an IDS and not an IPS...

Holger Bauer wrote:
> I suggest just trying the snort package in the way it is now before
> discussing new features so everybody in this discussion knows what we are
> talking about. It's easy to set up and configure. You have to be at RC3 for it
> to work.

--
Mit freundlichen Gruessen / With kind regards
DAn.I.El S. Haischt

Spammers, please please send any mail to:
Daniel S. Haischt <[EMAIL PROTECTED]>

Want a complete signature??? Type at a shell prompt:

$ > finger -l [EMAIL PROTECTED]
RE: [pfSense-discussion] IDS yet?
I suggest just trying the snort package in the way it is now before discussing new features so everybody in this discussion knows what we are talking about. It's easy to set up and configure. You have to be at RC3 for it to work.

Holger

-----Original Message-----
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 04, 2006 8:33 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

Sorry, do you plan to use snort as IDS or as IPS? I think that the former should be easier to implement as a package, but the latter is the direction to follow in a long-term project. A few days ago I saw StillSecure Strataguard, and I found that their interface/approach to IPS is very good... If you like to go in that direction, I'll be pleased to help... at least for what I can do...

On 10/3/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 9/20/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > There is no IDS package with no intention on creating one. We are
> > waiting for you all to step up to the plate.
>
> I somewhat lied about this. For some reason after seeing your post
> something clicked in my head and I spent a good 35 hours on a IDS
> package.
>
> Upgrade to 1.0-RC3a and you will now find Snort in our packages area.
>
> Scott
>
> PS: it appears that I also have a sponsor for the package. Will post
> more information once I secure the funds.
Re: [pfSense-discussion] IDS yet?
Sorry, do you plan to use snort as IDS or as IPS? I think that the former should be easier to implement as a package, but the latter is the direction to follow in a long-term project. A few days ago I saw StillSecure Strataguard, and I found that their interface/approach to IPS is very good... If you like to go in that direction, I'll be pleased to help... at least for what I can do...

On 10/3/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 9/20/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > There is no IDS package with no intention on creating one. We are
> > waiting for you all to step up to the plate.
>
> I somewhat lied about this. For some reason after seeing your post
> something clicked in my head and I spent a good 35 hours on a IDS
> package.
>
> Upgrade to 1.0-RC3a and you will now find Snort in our packages area.
>
> Scott
>
> PS: it appears that I also have a sponsor for the package. Will post
> more information once I secure the funds.
RE: [pfSense-discussion] IDS yet?
I meant SNORT. Sorry - my mistake - thanks.

Sam Newnam
SystemSam Technologies, LLC
www.systemsam.com

-Original Message-
From: Travis H. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 03, 2006 4:45 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet.

SQUID is a cache, not a NIDS.
--
Enhance your calm, fellow citizen; it's just ones and zeroes.
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: [pfSense-discussion] IDS yet?
On 9/20/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> There is no IDS package with no intention on creating one. We are
> waiting for you all to step up to the plate.

I somewhat lied about this. For some reason after seeing your post something clicked in my head and I spent a good 35 hours on an IDS package.

Upgrade to 1.0-RC3a and you will now find Snort in our packages area.

Scott

PS: it appears that I also have a sponsor for the package. Will post more information once I secure the funds.
Re: [pfSense-discussion] IDS yet?
On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet.

SQUID is a cache, not a NIDS.
--
Enhance your calm, fellow citizen; it's just ones and zeroes.
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
RE: [pfSense-discussion] IDS yet? (+IPS)
Oh, I know that - separate box and all (or VM). It updates 3rd party FW's though - PIX, Checkpoint, etc. I've never really ventured deep into this realm, so I was reading a bit about how a FW would take external updates to rules...

Sam Newnam
SystemSam Technologies, LLC
www.systemsam.com

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 21, 2006 10:49 AM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet? (+IPS)

On 9/21/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I was thinking about using something like this product too...
> http://www.stillsecure.org/index.php?rf=vmw
>
> Says it integrates with IP Tables... Quick thoughts on its compatibility
> with PF?

It's a dedicated linux install.

--Bill
Re: [pfSense-discussion] IDS yet? (+IPS)
On 9/21/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I was thinking about using something like this product too...
> http://www.stillsecure.org/index.php?rf=vmw
>
> Says it integrates with IP Tables... Quick thoughts on its compatibility
> with PF?

It's a dedicated linux install.

--Bill
RE: [pfSense-discussion] IDS yet? (+IPS)
I was thinking about using something like this product too...
http://www.stillsecure.org/index.php?rf=vmw

Says it integrates with IP Tables... Quick thoughts on its compatibility with PF?

Sam Newnam
SystemSam Technologies, LLC
www.systemsam.com

-Original Message-
From: Chris Godwin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 21, 2006 10:23 AM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] IDS yet? (+IPS)

What about Snortsam and ipfw? Is that a possibility? We were thinking about starting a package with snort/snortsam.

Chris Godwin
Linux/Unix Consultant
Network Logistic, Inc.
Get help at http://www.networklogistic.com/help

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2006 3:23 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet. I found those
> screen shots where it showed the package manager but then read where its
> being re-written. Anyway, sorry if I waste someone's time but I just wanted
> a clear answer to what was available as far as having that type of system
> available.

There is no IDS package with no intention on creating one. We are waiting for you all to step up to the plate.

Squid is not considered reliable at this point.

Scott
RE: [pfSense-discussion] IDS yet? (+IPS)
wa

Sam Newnam
SystemSam Technologies, LLC
www.systemsam.com

-Original Message-
From: Chris Godwin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 21, 2006 10:23 AM
To: discussion@pfsense.com
Subject: RE: [pfSense-discussion] IDS yet? (+IPS)

What about Snortsam and ipfw? Is that a possibility? We were thinking about starting a package with snort/snortsam.

Chris Godwin
Linux/Unix Consultant
Network Logistic, Inc.
Get help at http://www.networklogistic.com/help

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2006 3:23 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet. I found those
> screen shots where it showed the package manager but then read where its
> being re-written. Anyway, sorry if I waste someone's time but I just wanted
> a clear answer to what was available as far as having that type of system
> available.

There is no IDS package with no intention on creating one. We are waiting for you all to step up to the plate.

Squid is not considered reliable at this point.

Scott
RE: [pfSense-discussion] IDS yet? (+IPS)
What about Snortsam and ipfw? Is that a possibility? We were thinking about starting a package with snort/snortsam.

Chris Godwin
Linux/Unix Consultant
Network Logistic, Inc.
Get help at http://www.networklogistic.com/help

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2006 3:23 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] IDS yet?

On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet. I found those
> screen shots where it showed the package manager but then read where its
> being re-written. Anyway, sorry if I waste someone's time but I just wanted
> a clear answer to what was available as far as having that type of system
> available.

There is no IDS package with no intention on creating one. We are waiting for you all to step up to the plate.

Squid is not considered reliable at this point.

Scott
Re: [pfSense-discussion] IDS yet?
On 9/20/06, Sam Newnam <[EMAIL PROTECTED]> wrote:
> I've read a couple places but couldn't find a clear answer to whether SQUID
> or another intrusion detection system had been integrated yet. I found those
> screen shots where it showed the package manager but then read where its
> being re-written. Anyway, sorry if I waste someone's time but I just wanted
> a clear answer to what was available as far as having that type of system
> available.

There is no IDS package with no intention on creating one. We are waiting for you all to step up to the plate.

Squid is not considered reliable at this point.

Scott